Documenting text messages for HIPAA compliance

Documenting text messages can help ensure your organization is staying HIPAA compliant, which protects patient data and helps maintain trust. 

HIPAA and text messaging

HIPAA was enacted to protect sensitive patient information from unauthorized access and disclosure. Under HIPAA, any PHI shared electronically (via email, text message, or other means) must be protected from breaches and unauthorized access. When it comes to text messages, ensuring HIPAA compliance means following specific guidelines to safeguard PHI.

See also: The guide to HIPAA compliant text messaging

Why text messaging requires careful handling

Text messaging offers undeniable convenience, but traditional SMS is not secure. Messages sent through standard SMS services are not encrypted, meaning they can be intercepted by unauthorized individuals. Healthcare providers must be cautious and use HIPAA compliant platforms, like Paubox Texting, to ensure text messages are secure.

Additionally, healthcare providers must document these communications to create an audit trail that can prove compliance if questioned during an audit or breach investigation.

See also: Common text messaging cyberattacks

Best practices for HIPAA compliant text message documentation

Use HIPAA compliant messaging platforms

The first step in ensuring that text message documentation complies with HIPAA is to use a secure messaging platform specifically designed for healthcare. These platforms should offer:

• Encryption: Messages are encrypted both in transit and at rest, preventing unauthorized access.
• Access controls: Only authorized users can view, send, or receive messages, with features like two-factor authentication to prevent unauthorized access.

Obtain patient consent

Before communicating PHI via text, healthcare providers must obtain written consent from the patient. This step is crucial, as HIPAA mandates that patients be informed of the risks associated with electronic communication. The consent should cover:

• The nature of the information that may be shared.
• The potential risks of texting, even when using secure platforms.
• The patient’s option to opt out of text messaging at any time.

Having this consent on record helps demonstrate that the healthcare provider has informed the patient about the risks and has obtained their permission to text.

Keep an audit trail

An essential aspect of HIPAA compliance is creating an audit trail of any communication containing PHI. Healthcare organizations should document each text interaction and include:

• Date and time: The time and date of the message exchange.
• Content of the message: A record of the content of the communication.
• Recipient information: The identity of the recipient to ensure the message was sent to the intended party.

“The audit trail requirement of 21 CFR Part 11 concerns primarily the history of entry and

modification of data items, namely data changes by whom, when and, optionally, why,” writes Keyuan Jiang and Xiang Cao in a study about implementing audit trails. “Since the enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [18], there has been an increasing push to safeguard study participants’ privacy and confidentiality by providing assurance that the privacy of a study participant is never breached.” 

HIPAA doesn’t apply to clinical studies, but the need for audit trail is a requirement for all aspects of healthcare.

Most HIPAA compliant messaging platforms automatically create and store this audit trail, making it easy for healthcare providers to retrieve these records in case of an audit or legal inquiry.

Limit the use of PHI in messages

When communicating via text, it’s important to use the minimum necessary PHI to accomplish the intended task. Limiting the amount of sensitive information shared can help minimize risk. For example:

• Avoid sharing a patient’s full medical history over text.
• Only include information relevant to the specific context, such as appointment details or medication reminders.
• If possible, use general identifiers and avoid including personal identifiers like Social Security numbers or full names unless necessary.

By following the principle of minimal disclosure, healthcare providers can reduce the chances of a serious data breach.

Regular training for staff

Healthcare providers should provide regular HIPAA training to all staff, emphasizing secure communication practices. Topics should include:

• The risks of texting PHI over insecure platforms.
• How to use secure messaging apps and platforms.
• How to respond in case of a breach or accidental disclosure.
• Reporting breaches promptly and following the organization’s incident response plan.

Incident response and breach documentation

Despite best efforts, breaches can happen. Whether due to human error (e.g., sending a message to the wrong recipient) or technical failure, incidents involving PHI must be reported and documented immediately.

HIPAA’s Breach Notification Rule requires healthcare providers to notify affected individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media, depending on the scale of the breach. A clear breach response plan that includes documentation is essential for HIPAA compliance.

Read also: Guidelines for HIPAA compliant documentation and record retention 

HIPAA compliant text message retention

Under HIPAA, healthcare providers must retain communication records involving PHI for at least six years, unless state laws require a longer retention period. Healthcare organizations should use secure storage solutions to store these records, ensuring that they can be accessed in case of future audits or legal inquiries.

Related: What is a HIPAA retention policy?

Key takeaways for HIPAA compliant text messaging

• Use secure messaging platforms: Avoid using traditional SMS for PHI and rely on HIPAA compliant messaging apps with encryption and secure access.
• Obtain written consent: Always get patient authorization before communicating PHI via text, ensuring they understand the risks.
• Maintain an audit trail: Document all text message exchanges, including the date, time, and content of the message.
• Limit PHI disclosure: Share only the minimum necessary information and avoid sensitive details where possible.
• Train your team: Ensure all staff members are trained in HIPAA compliance and secure communication practices.
• Be prepared for breaches: Have a breach response plan in place, and document any incidents thoroughly.

FAQs

Is it HIPAA compliant to send text messages containing PHI?

Yes, but only if the text messages are sent through HIPAA compliant, secure messaging platforms. Standard SMS is not HIPAA compliant because it lacks encryption and security features. 

What are the risks of using standard SMS for patient communication?

Standard SMS lacks encryption, which means messages can be intercepted, putting PHI at risk. It also doesn't allow for secure login, making it difficult to control who accesses the information. This can lead to violations of patient privacy and HIPAA regulations.